HIGH | CVE-2026-10898 | CNA: Chrome

CVE-2026-10898: Stack buffer overflow in GPU in Google Chrome prior to 149

Stack buffer overflow in GPU in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A stack-based buffer overflow in the GPU component of Google Chrome (versions prior to 149.0.7827.53) is reachable over the network and requires no authentication. An attacker who has already compromised the Chrome renderer process can trigger the overflow by delivering a crafted HTML page, which enables a sandbox escape giving the attacker code execution at the privilege level of the browser process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle a Chromium or Chrome runtime. Any image pinned to a Chrome version below 149.0.7827.53 is flagged automatically in both registry scans and CI pipeline checks.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.3 (HIGH) and surfaces it with full vector detail for engineering review. Per-environment compliance policy weighting is applied to prioritize routing, so the alert reaches the team responsible for browser-runtime images inside each customer organization.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by serving a crafted HTML page to a target Chrome instance.

  • Authentication: Not required

    No credentials or account are required to deliver the malicious page to the target browser.

  • Victim interaction: Required

    The target user must navigate to or open the crafted HTML page, making this a social-engineering-dependent attack.

  • Attack complexity: Detail

    Exploitation is rated high complexity because it requires the attacker to have already compromised the Chrome renderer process before triggering the GPU overflow.

Blast Radius

  • A successful attacker escapes the Chrome sandbox and executes arbitrary code at the privilege level of the browser process.
  • With sandbox escape achieved, the attacker reads files, credentials, and session data accessible to the browser on the host.
  • The attacker can write to the filesystem or modify browser-managed data, including saved passwords and stored cookies.
  • The attacker can crash or destabilize the browser process, causing a denial of service for the affected user.

How HarborGuard Handles This

Available on HarborGuard: images containing Chrome below 149.0.7827.53 are matched automatically against this CVE within minutes of publication. For customers with auto-remediation enabled, a rebuild at 149.0.7827.53 is triggered, a regression run is executed against the rebuilt image, and a pull request is opened against affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and scan diff are staged and waiting for sign-off. Given the sandbox-escape impact, teams without auto-remediation should treat this as a priority upgrade and consider network-policy controls that restrict which internal services a compromised browser container can reach while the update is in review.
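For teams doing this check themselves, a version gate for the "below 149.0.7827.53" match described above, as an added example that is not HarborGuard's code. The function names, image names and version strings in the sample inventory are constructed for illustration; the fixed version is the one stated on this page.

```python
import re

FIXED = (149, 0, 7827, 53)  # fixed version stated on this page

# Four-part Chrome/Chromium version anywhere in a banner or manifest line.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_chrome_version(text):
    """Return the version as a 4-tuple of ints, or None if none is found."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(text, fixed=FIXED):
    """True if below the fix, False if at/above it, None if undeterminable."""
    version = parse_chrome_version(text)
    if version is None:
        return None
    # Tuple comparison is numeric per component. Comparing the raw strings
    # would wrongly rank "149.0.7827.6" and "99.0.4844.51" above the fix.
    return version < fixed

def triage(inventory):
    """Map each image to AFFECTED, OK or UNKNOWN (unknown needs review)."""
    labels = {True: "AFFECTED", False: "OK", None: "UNKNOWN"}
    return {image: labels[is_affected(banner)]
            for image, banner in inventory.items()}

# Constructed sample: image name -> output of the browser's --version call.
SAMPLE_INVENTORY = {
    "web-e2e:2026.05": "Google Chrome 149.0.7827.6",
    "pdf-render:1.4": "Chromium 99.0.4844.51 built on Debian",
    "scraper:latest": "Google Chrome 149.0.7827.53",
    "headless:dev": "HeadlessChrome/150.0.7901.2",
    "legacy:unknown": "chrome: not found",
}

if __name__ == "__main__":
    for image, status in triage(SAMPLE_INVENTORY).items():
        print(f"{status:9} {image}")
```

Treat UNKNOWN as a failing result in CI: an image whose browser version cannot be read has not been shown to carry the fix.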


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H